The Small Business Cost of Cybersecurity


$117,000! $117K is the answer to the question we receive more often than any other. It’s not always asked directly, and is usually metered out in guarded bite-sized chunks like ‘We’re fine, we use (a third-party) cloud provider for (security, email, data storage, backup, etc.)’ or ‘We don’t need security, we’re on (a third-party network).’ My favorite is, ‘We’re not big enough, we don’t have time to worry about $h!T like that.’ The sad truth is, small businesses aren’t big enough to NOT worry about their cybersecurity and will either make time.

If you are skeptical, you are in good company. 87% of small business owners believe they are not at risk of being the next victim of a cyber-attack. Which brings us back to the $117K question. That question being, “Why should I care about that?” And as above, my reply is, well, how about 117K reasons? With “reasons” being analogous to the average post-compromise cost in dollars to small businesses in 2017. How about an even more sobering fact… 60% of small and medium-size businesses go out of business within 6 months of experiencing a cyberattack!

I’m no accountant, but I’m pretty sure that if your business discovered that $117K worth of your balance sheet was on an unplanned vacation to St. Petersburg and was never coming home, many a job, or the entire company might also be going on a permanent vacation.

Ok Now What?

A great place to start is, surprisingly, with good ole Uncle Sam. Why, you ask? For one thing, it’s free. Your taxes and mine already paid for it, so there you are, at no additional cost to your business, you’re welcome. Secondly, and more importantly, the government got this one right (unlike the single-vendor healthcare.gov disaster). The Govies took a best-of-breed (forced conscription) approach spanning multiple years and integrated the contributions of industry, academia, and the public sector.

By following these two federal National Institute of Standards and Technology (NIST) guidelines, small businesses, and truly all businesses, will mitigate the vast majority of threats:

  1. Small Business Information Security: The Fundamentals, NISTIR 7621, R1

  2. NIST Cybersecurity Framework 1.1

And for the other 99% of you who have better things to do than read IT governance guidelines, here is the Reader’s Digest version:

  1. Know your priorities – Know and document the business value of your data and data systems.

  2. Make risk-based decisions – Make decisions based on what is most likely to have the most impact on business operations.

  3. Plan and then protect your information (using the NIST Framework):

     i. Identify – develop/implement policies to limit who accesses what data
     ii. Protect – develop/implement programs to regularly encrypt, upgrade and patch systems
     iii. Detect – implement anti-virus, intrusion prevention and network logging
     iv. Respond – develop/exercise your disaster/security incident plan
     v. Recover – develop/test your data backup recovery plan, consider cyber insurance

Once you’ve done the above hard work, or if it all sounds like too much, we’re here to help. We help companies every day to protect themselves from the cybersecurity risks that could endanger their customers, their data, or their very business.
